US20100070776A1 - Logging system events - Google Patents
- Publication number
- US20100070776A1 (application US12/263,506)
- Authority
- US
- United States
- Prior art keywords
- log
- intrusion detection
- processing system
- data processing
- data
- Legal status
- Abandoned
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/552—Detecting local intrusion or implementing counter-measures involving long-term monitoring or reporting
Abstract
-
- allocating a memory area for a log;
- receiving data indicative of a log event;
- storing said data in said memory area;
- synchronising data in said memory area to a log file stored in non-volatile storage, the non-volatile storage and the memory area being inaccessible to a user or an administrator.
Description
- Benefit is claimed under 35 U.S.C. 119(a)-(d) to Foreign application Ser No. 2268/CHE/2008 entitled “LOGGING SYSTEM EVENTS” by Hewlett-Packard Development Company, L.P., filed on 17 Sep. 2008, which is herein incorporated in its entirety by reference for all purposes.
- There is an increasing trend for the outsourcing of information technology systems. As a result of this, the administration of information technology systems may additionally be outsourced. The administrator of an information technology system often has the ability to access and modify elements of an information technology system. In such systems, the maintenance of logs and audit trails of actions of an administrator allows malicious activity by such an administrator to be detected. For example, host-based intrusion detection systems include a mechanism to report activity on a node to a centralized server through a network.
- US Patent Application No. 2002/0046350 discloses a system and method for establishing a log file which may be used to create an audit trail.
- A centralized server maintains a log file of actions performed by a requester and the security server which are related to protected objects.
- Such systems however require that the network be connected. A malicious administrator could disable the network, and perform a malicious act, and remove any trace from system logs before connecting back to the network.
- In the following, embodiments of the invention will be described, by way of example only, and with reference to the drawings in which:
- FIG. 1 shows a block diagram of a data processing system,
- FIG. 2 shows a flow diagram illustrating steps involved in a method of logging a system event,
- FIG. 3 shows a flow diagram illustrating steps involved in a method of restoring a log of system events from a log file,
- FIG. 4 is a flow diagram showing steps involved in a method of sending a log event to a server.
- FIG. 1 shows data processing system 100. Data processing system 100 comprises processor 110, memory 120 and non-volatile storage 130. Data processing system 100 is connected to server 150 by network 140. Data processing system 100 may be a node of an IT system, and server 150 may be a centralized system which securely stores a log of activities received through network 140. The data processing system 100 may further comprise an intrusion detection thread 112 operable to allocate an area of the memory 120 for a log 122. The intrusion detection thread 112 may be operable to receive data indicative of a log event and to synchronize the log 122 with the log file 134.
- Processor 110 executes intrusion detection thread 112 and intrusion detection agent 114. Intrusion detection agent 114 monitors the activities of an administrator or user on data processing system 100. Intrusion detection agent 114 sends data indicative of system events which are detected by intrusion detection agent 114 to intrusion detection thread 112. Intrusion detection thread 112 stores data indicative of system events in log 122 which is stored in memory 120. When activated, intrusion detection thread 112 allocates a portion of memory 120 for log 122. Intrusion detection agent 114 may mark log 122 as read only. This prevents other processes and applications from changing the data stored in log 122.
- Intrusion detection agent 114 reads data from log 122 and sends the data indicative of the log event via network 140 to server 150. Intrusion detection thread 112 and intrusion detection agent 114 may be operating system components. Intrusion detection thread 112 may be a kernel thread; this thread may be implemented as an extension to an existing intrusion detection logging thread, or as an explicitly created kernel thread when the operating system is taken into a single user mode.
- A kernel thread as understood herein is a fraction of a program running in the kernel process. A kernel thread exists within the context of a process and provides an operating system the means to address and execute smaller segments of the process. It also enables programs to take advantage of capabilities provided by the hardware for concurrent and parallel processing.
- A single user mode allows the system to be booted for a single super user, forbidding other users to log into the system during a period of time. In general, this is a temporary mode where the system is taken into this mode for maintenance purposes.
- Intrusion detection thread 112 synchronizes log 122 with a log file 134 stored in non-volatile storage 130. Non-volatile storage 130 may be for example a hard disc drive. Log file 134 is stored in a firmware partition 132 of non-volatile storage 130. Firmware partition 132 may be inaccessible to a user or administrator of data processing system 100. Firmware partition 132 may be implemented for example as an extensible firmware interface partition or other early boot firmware partition of non-volatile storage 130. Log file 134 may be stored in an encrypted format. This would provide further security against a malicious user or administrator modifying log file 134.
- Intrusion detection thread 112 may synchronize log 122 to log file 134 periodically, after the reception of a certain number of events, or according to other criteria. When data processing system 100 is shut down, intrusion detection thread 112 synchronizes log 122 to log file 134 as part of the shutdown process. This ensures that all user activity is recorded in log file 134, and that a malicious user or administrator cannot prevent his or her activities from being detected and recorded by restarting or shutting down the system. Upon boot up of data processing system 100, intrusion detection thread 112 may read log file 134 and record or write all events into log 122 stored in memory 120. The events are the contents of the log file 134.
- As intrusion detection agent 114 logs events to server 150 via network 140, they may be deleted from log 122 stored in memory 120 and log file 134 stored in non-volatile storage 130.
- The kernel thread, running in the kernel process, may not be terminated by an administrator and detects all changes in the data processing system 100. The kernel thread logs the changes to a portion of the memory 120, securing audit records of changes from a malicious super user or administrator. The data processing system 100 may keep the log events communicated to a central server and logs the system activity events to a special region in the memory 120. It also synchronizes the logs in memory 120 to a log file 134 on the disk. The log file 134 is created in a disk area accessible by the firmware that can be read by the kernel thread. This prevents an administrator from corrupting the log file.
- The data processing system 100 increases the accountability of the root administrator's activity in the single user mode. It also provides integrity of the audit records even when the system is not available in network mode, for example during system failures or reboots. When the data processing system 100 returns to an operational mode that enables the network connection between the data processing system 100 and the central console, the contents of the log file and the log information in memory 120 are communicated back to the centralized console. All the activities of the data processing system 100 in a data center are logged and tracked, protecting it from security breaches.
- FIG. 2 shows a method 200 for logging system events. Method 200 may be carried out by an intrusion detection thread such as that shown as intrusion detection thread 112 in FIG. 1. In step 202, a memory area is allocated for the log. The area of memory allocated for the log in step 202 may be marked as read only. In step 204, data indicative of a log event is received. The data received may be from an intrusion detection agent such as intrusion detection agent 114 in FIG. 1. In step 206, the data received indicative of a log event is stored in the log. Following storage of the data in the log, the memory location where the data is stored may be marked read only to prevent other applications or processes from filing or deleting the log data. In step 208, the data stored in the memory is synchronized to a log file stored in non-volatile storage. The log file in non-volatile storage may be inaccessible to a user or administrator of the system to prevent the user or administrator from changing the data. The method 200 is computer-implemented, such as by a client or a server computer.
- As the kernel thread runs in the kernel process and the log 122 is stored in a read mode, the log file 134 is inaccessible to a user or administrator. In that way, a malicious administrator cannot alter or corrupt the log files and remove traces of malicious activity. Furthermore, as the log file 134 is stored in non-volatile storage 130, rebooting or restarting the system does not remove the data stored in the log file 134.
- The method may further comprise the step of sending the data to a server via a network. This step may be carried out by an intrusion detection agent. The intrusion detection agent may also monitor the system and send the data indicative of a log event to the intrusion detection thread in step 204.
- Method 200 may be triggered by detecting that a data processing system has been taken into a single user mode. Alternatively, method 200 may be triggered at boot up of a data processing system. Thus, the method may be executed when the data processing system 100 is taken into a single user mode, for example by disconnecting it from a network.
- When the data is stored in the log file in step 208, the data may be encrypted. This provides a further protection of the data stored in the log file 134 from a malicious user or administrator.
- FIG. 3 shows a method 300 showing the steps undertaken upon boot up of a data processing system. In step 302, a memory area is allocated for the log. In step 304, the contents of the log files stored in non-volatile storage are read. In step 306, the contents read from the log file are stored in the log in the memory area. Thus, the log 122 may be restored from the non-volatile storage 130 to the memory 120 area.
- The method may further comprise the step of marking the memory area as read only. In this way, other processes and applications are prevented from overwriting the memory 120. The non-volatile storage 130 may be a partition accessible by early boot firmware.
- FIG. 4 shows a method 400 which may be undertaken by an intrusion detection agent such as intrusion detection agent 114 shown in FIG. 1. In step 402, the intrusion detection agent checks network availability. In step 404, the intrusion detection agent receives a log event from the intrusion detection thread. This may be in response to a request. The intrusion detection thread may supply the log events to the intrusion detection agent in a first in-first out order. Such an order would be the same order in which the events were received by the intrusion detection thread, which would be the order in which the events occurred. In step 406, the events are sent to the server.
- The methods described above may be implemented as a hardware embodiment, a software embodiment, or a combination of the two. The methods may be implemented as a computer program product comprising computer readable instructions which when executed on a computer would cause the computer to execute the methods described above.
- 100 data processing system
- 110 processor
- 112 intrusion detection thread
- 114 intrusion detection agent
- 120 memory
- 122 log
- 130 non-volatile storage
- 132 firmware partition
- 134 log file
- 140 network
- 150 server
- 200 method
- 202 allocate memory area for log
- 204 receive data indicative of log event
- 206 store data in log
- 208 store data in log file
- 300 method
- 302 allocate memory area for log
- 304 read contents of log file
- 306 store contents of log file in log
- 400 method
- 402 check network available
- 404 receive log event from intrusion detection thread
- 406 send to server
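The three methods described above (logging in FIG. 2, restoring at boot in FIG. 3, forwarding in FIG. 4) can be modelled in user space as follows. This is an added example, not code from the patent: it uses an ordinary file and `mprotect` in place of the firmware partition and kernel thread, so it shows the data flow and the read-only marking, not protection against an administrator. The record layout, the function names, the `flaky_server` stub and the sample events are assumptions constructed for the example.

```c
#define _DEFAULT_SOURCE /* MAP_ANONYMOUS and fsync under strict -std= modes */
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Assumed layout: records are [uint32_t length][payload], oldest first. */
struct audit_log { unsigned char *area; size_t cap, used; };
typedef int (*send_fn)(const void *ev, uint32_t len, void *ctx); /* 0 = accepted */
static int set_prot(struct audit_log *l, int prot) { return mprotect(l->area, l->cap, prot); }

/* Length of the longest prefix of buf[0..n) that consists of whole records. */
static size_t whole_records(const unsigned char *buf, size_t n, int *count) {
    size_t off = 0; uint32_t len;
    for (*count = 0; n - off >= sizeof len; (*count)++) {
        memcpy(&len, buf + off, sizeof len);
        if (len > n - off - sizeof len) break;      /* torn final record */
        off += sizeof len + len;
    }
    return off;
}

/* Steps 202/302: allocate the memory area and leave it read only. */
int log_alloc(struct audit_log *l, size_t cap) {
    l->area = mmap(NULL, cap, PROT_READ, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    l->cap = cap; l->used = 0;
    return l->area == MAP_FAILED ? -1 : 0;
}

/* Steps 204/206: store one event; the area is writable only during the copy. */
int log_append(struct audit_log *l, const void *ev, uint32_t len) {
    if (l->cap - l->used < sizeof len || len > l->cap - l->used - sizeof len) return -1;
    if (set_prot(l, PROT_READ | PROT_WRITE) != 0) return -1;
    memcpy(l->area + l->used, &len, sizeof len);
    memcpy(l->area + l->used + sizeof len, ev, len);
    l->used += sizeof len + len;
    return set_prot(l, PROT_READ);
}

/* Step 208: write the log to a temporary file, flush it, rename it over path. */
int log_sync(const struct audit_log *l, const char *path) {
    char tmp[4096]; size_t off = 0; ssize_t n; int fd, ok;
    if (snprintf(tmp, sizeof tmp, "%s.tmp", path) >= (int)sizeof tmp) return -1;
    if ((fd = open(tmp, O_WRONLY | O_CREAT | O_TRUNC, 0600)) < 0) return -1;
    while (off < l->used && (n = write(fd, l->area + off, l->used - off)) > 0)
        off += (size_t)n;
    ok = off == l->used && fsync(fd) == 0;
    ok = close(fd) == 0 && ok;
    if (!ok) { unlink(tmp); return -1; }
    return rename(tmp, path);
}

/* Steps 304/306: read the log file into the area; returns the event count. */
int log_restore(struct audit_log *l, const char *path) {
    size_t off = 0; ssize_t n; int fd, count;
    if ((fd = open(path, O_RDONLY)) < 0) return -1;
    if (set_prot(l, PROT_READ | PROT_WRITE) != 0) { close(fd); return -1; }
    while (off < l->cap && (n = read(fd, l->area + off, l->cap - off)) > 0)
        off += (size_t)n;
    close(fd);
    l->used = whole_records(l->area, off, &count);
    return set_prot(l, PROT_READ) != 0 ? -1 : count;
}

/* Method 400: if the network is up, send oldest first; delete only what was accepted. */
int log_drain(struct audit_log *l, const char *path, int net_up, send_fn send, void *ctx) {
    size_t off = 0; uint32_t len; int sent = 0;
    while (net_up && off < l->used) {
        memcpy(&len, l->area + off, sizeof len);
        if (send(l->area + off + sizeof len, len, ctx) != 0) break;
        off += sizeof len + len; sent++;
    }
    if (sent == 0) return 0;
    if (set_prot(l, PROT_READ | PROT_WRITE) != 0) return -1;
    memmove(l->area, l->area + off, l->used - off);
    l->used -= off;
    if (set_prot(l, PROT_READ) != 0 || log_sync(l, path) != 0) return -1;
    return sent;
}

/* Constructed server stub: accepts events until its budget (*ctx) runs out. */
int flaky_server(const void *ev, uint32_t len, void *ctx) {
    (void)ev; (void)len;
    return (*(int *)ctx)-- > 0 ? 0 : -1;
}
static int put(struct audit_log *l, const char *s) { return log_append(l, s, (uint32_t)strlen(s)); }

/* Constructed scenario: log offline, reboot, partial upload; returns events left on disk. */
int demo(const char *path) {
    struct audit_log a, b; int budget = 2;
    if (log_alloc(&a, 4096) || log_alloc(&b, 4096)) return -1;
    if (put(&a, "single-user boot") || put(&a, "network down") || put(&a, "config edited")) return -1;
    if (log_sync(&a, path) != 0 || log_restore(&b, path) != 3) return -1; /* shutdown, boot */
    if (log_drain(&b, path, 1, flaky_server, &budget) != 2) return -1;    /* third send fails */
    return log_restore(&a, path);
}
int main(void) { printf("events left on disk: %d\n", demo("audit_demo.log")); return 0; }
```

Events are removed from the memory area and the file only after the send callback reports success, so an upload interrupted part-way leaves the unsent tail on disk for the next boot.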
Claims (15)
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
IN2268CH2008 | 2008-09-17 | ||
IN2268/CHE/2008 | 2008-09-17 |
Publications (1)
Publication Number | Publication Date |
---|---|
US20100070776A1 (en) | 2010-03-18 |
Family
ID=42008289
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US12/263,506 Abandoned US20100070776A1 (en) | 2008-09-17 | 2008-11-03 | Logging system events |
Country Status (1)
Country | Link |
---|---|
US (1) | US20100070776A1 (en) |
Cited By (11)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20140013141A1 (en) * | 2012-07-03 | 2014-01-09 | Samsung Electronics Co. Ltd. | Method and apparatus for controlling sleep mode in portable terminal |
US8938805B1 (en) * | 2012-09-24 | 2015-01-20 | Emc Corporation | Detection of tampering with software installed on a processing device |
US20150089304A1 (en) * | 2013-09-20 | 2015-03-26 | Oracle International Corporation | User-directed logging and auto-correction |
WO2016095151A1 (en) * | 2014-12-18 | 2016-06-23 | Hua Zhong University Of Science Technology | Storing log records in a non-volatile memory |
CN105843754A (en) * | 2016-03-23 | 2016-08-10 | 山东超越数控电子有限公司 | Log information storage method for solid-state hard disk |
US9485271B1 (en) * | 2014-03-11 | 2016-11-01 | Symantec Corporation | Systems and methods for anomaly-based detection of compromised IT administration accounts |
EP3168747A1 (en) * | 2015-11-13 | 2017-05-17 | Xiaomi Inc. | Method and device for monitoring a file in a system partition |
US10327583B2 (en) * | 2017-03-06 | 2019-06-25 | Keenwawa, Inc. | Automatic food preparation apparatus |
CN113961151A (en) * | 2021-11-02 | 2022-01-21 | 锐凌无线通讯科技(深圳)有限公司 | Fault log storage method and device, electronic equipment and storage medium |
US11361071B2 (en) * | 2017-04-20 | 2022-06-14 | Huntress Labs Incorporated | Apparatus and method for conducting endpoint-network-monitoring |
AT525553A4 (en) * | 2021-12-21 | 2023-05-15 | Avl Ditest Gmbh | Measuring device and method of operating a measuring device |
Citations (23)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US6098171A (en) * | 1998-03-31 | 2000-08-01 | International Business Machines Corporation | Personal computer ROM scan startup protection |
US20020046350A1 (en) * | 2000-09-14 | 2002-04-18 | Lordemann David A. | Method and system for establishing an audit trail to protect objects distributed over a network |
US20020099666A1 (en) * | 2000-11-22 | 2002-07-25 | Dryer Joseph E. | System for maintaining the security of client files |
US20030084340A1 (en) * | 2001-10-31 | 2003-05-01 | Schertz Richard L. | System and method of graphically displaying data for an intrusion protection system |
US6622116B2 (en) * | 1995-04-17 | 2003-09-16 | Research Investment Network, Inc. | Time and activity tracker |
US20030196100A1 (en) * | 2002-04-15 | 2003-10-16 | Grawrock David W. | Protection against memory attacks following reset |
US20040098623A1 (en) * | 2002-10-31 | 2004-05-20 | Secnap Network Security, Llc | Intrusion detection system |
US20050005101A1 (en) * | 2003-07-03 | 2005-01-06 | Yenduri Bhargava K. | Kernel cryptographic module signature verification system and method |
US6986052B1 (en) * | 2000-06-30 | 2006-01-10 | Intel Corporation | Method and apparatus for secure execution using a secure memory partition |
US7089428B2 (en) * | 2000-04-28 | 2006-08-08 | Internet Security Systems, Inc. | Method and system for managing computer security information |
US7127579B2 (en) * | 2002-03-26 | 2006-10-24 | Intel Corporation | Hardened extended firmware interface framework |
US7302698B1 (en) * | 1999-09-17 | 2007-11-27 | Hewlett-Packard Development Company, L.P. | Operation of trusted state in computing platform |
US20080229406A1 (en) * | 2005-10-19 | 2008-09-18 | Samsung Electronics Co., Ltd. | Method and apparatus for exclusively controlling a device in a home network |
US7506380B2 (en) * | 2005-01-14 | 2009-03-17 | Microsoft Corporation | Systems and methods for boot recovery in a secure boot process on a computer with a hardware security module |
US20090132579A1 (en) * | 2007-11-21 | 2009-05-21 | Kwang Edward M | Session audit manager and method |
US7551073B2 (en) * | 2007-01-10 | 2009-06-23 | International Business Machines Corporation | Method, system and program product for alerting an information technology support organization of a security event |
US20090199212A1 (en) * | 2008-02-04 | 2009-08-06 | Red Hat, Inc. | Configuration interface manager |
US7617534B1 (en) * | 2005-08-26 | 2009-11-10 | Symantec Corporation | Detection of SYSENTER/SYSCALL hijacking |
US7634507B2 (en) * | 2006-08-30 | 2009-12-15 | Inmage Systems, Inc. | Ensuring data persistence and consistency in enterprise storage backup systems |
US7652982B1 (en) * | 2005-11-16 | 2010-01-26 | Juniper Networks, Inc. | Providing high availability network services |
US7657939B2 (en) * | 2005-03-14 | 2010-02-02 | International Business Machines Corporation | Computer security intrusion detection system for remote, on-demand users |
US7690033B2 (en) * | 2004-09-28 | 2010-03-30 | Exobox Technologies Corp. | Electronic computer system secured from unauthorized access to and manipulation of data |
US7752166B2 (en) * | 2001-11-15 | 2010-07-06 | Visto Corporation | System and methods for asynchronous synchronization |
Cited By (20)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US9851779B2 (en) * | 2012-07-03 | 2017-12-26 | Samsung Electronics Co., Ltd. | Method and apparatus for controlling sleep mode using a low power processor in portable terminal |
US20140013141A1 (en) * | 2012-07-03 | 2014-01-09 | Samsung Electronics Co. Ltd. | Method and apparatus for controlling sleep mode in portable terminal |
US8938805B1 (en) * | 2012-09-24 | 2015-01-20 | Emc Corporation | Detection of tampering with software installed on a processing device |
US9811433B2 (en) | 2013-09-20 | 2017-11-07 | Oracle International Corporation | User-directed diagnostics and auto-correction |
US20150089304A1 (en) * | 2013-09-20 | 2015-03-26 | Oracle International Corporation | User-directed logging and auto-correction |
US9836371B2 (en) * | 2013-09-20 | 2017-12-05 | Oracle International Corporation | User-directed logging and auto-correction |
US9485271B1 (en) * | 2014-03-11 | 2016-11-01 | Symantec Corporation | Systems and methods for anomaly-based detection of compromised IT administration accounts |
WO2016095151A1 (en) * | 2014-12-18 | 2016-06-23 | Hua Zhong University Of Science Technology | Storing log records in a non-volatile memory |
RU2639898C2 (en) * | 2015-11-13 | 2017-12-25 | Сяоми Инк. | Method and device for monitoring file in system section |
EP3168747A1 (en) * | 2015-11-13 | 2017-05-17 | Xiaomi Inc. | Method and device for monitoring a file in a system partition |
CN105843754A (en) * | 2016-03-23 | 2016-08-10 | 山东超越数控电子有限公司 | Log information storage method for solid-state hard disk |
US10327583B2 (en) * | 2017-03-06 | 2019-06-25 | Keenwawa, Inc. | Automatic food preparation apparatus |
US11096519B2 (en) | 2017-03-06 | 2021-08-24 | Keenwawa, Inc. | Automatic food preparation apparatus |
US11698963B2 (en) * | 2017-04-20 | 2023-07-11 | Huntress Labs Incorporated | Apparatus and method for conducting endpoint-network-monitoring |
US11361071B2 (en) * | 2017-04-20 | 2022-06-14 | Huntress Labs Incorporated | Apparatus and method for conducting endpoint-network-monitoring |
US20230004640A1 (en) * | 2017-04-20 | 2023-01-05 | Huntress Labs Incorporated | Apparatus and method for conducting endpoint-network-monitoring |
US20230394138A1 (en) * | 2017-04-20 | 2023-12-07 | Huntress Labs Incorporated | Apparatus and method for conducting endpoint-network-monitoring |
CN113961151A (en) * | 2021-11-02 | 2022-01-21 | 锐凌无线通讯科技(深圳)有限公司 | Fault log storage method and device, electronic equipment and storage medium |
AT525553B1 (en) * | 2021-12-21 | 2023-05-15 | Avl Ditest Gmbh | Measuring device and method of operating a measuring device |
AT525553A4 (en) * | 2021-12-21 | 2023-05-15 | Avl Ditest Gmbh | Measuring device and method of operating a measuring device |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US20100070776A1 (en) | | Logging system events |
US8955108B2 (en) | | Security virtual machine for advanced auditing |
US11295021B2 (en) | | Using a threat model to monitor host execution in a virtualized environment |
US9843564B2 (en) | | Securing data using integrated host-based data loss agent with encryption detection |
US11120011B2 (en) | | Database transaction log writing and integrity checking |
AU2015279922B2 (en) | | Automated code lockdown to reduce attack surface for software |
US9069955B2 (en) | | File system level data protection during potential security breach |
US20180189490A1 (en) | | Ransomware detection and damage mitigation |
US20060294589A1 (en) | | Method/system to speed up antivirus scans using a journal file system |
US8095979B2 (en) | | Analysis of event information to perform contextual audit |
CN102884535A (en) | | Protected device management |
US7516317B2 (en) | | Measuring an operating system's boot duration |
US7895124B2 (en) | | Method for protecting sensitive data during execution |
Matthews et al. | | Data protection and rapid recovery from attack with a virtual private file server and virtual machine appliances |
US10783041B2 (en) | | Backup and recovery of data files using hard links |
US20230056426A1 (en) | | Behavior-Based VM Resource Capture for Forensics |
US20110035808A1 (en) | | Rootkit-resistant storage disks |
US8978151B1 (en) | | Removable drive security monitoring method and system |
JP2001142764A (en) | | Log file protecting system |
TWI607338B (en) | | Storage device, data protection method therefor, and data protection system |
Butler et al. | | Rootkit-resistant disks |
US9098676B2 (en) | | System and methods for detecting rollback |
US10896085B2 (en) | | Mitigating actions |
US20120185444A1 (en) | | Clock Monitoring in a Data-Retention Storage System |
US10310948B2 (en) | | Evaluation of risk of data loss and backup procedures |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
 | AS | Assignment | Owner name: HEWLETT-PACKARD DEVELOPMENT COMPANY, L.P., TEXAS. Free format text: ASSIGNMENT OF ASSIGNORS INTEREST; ASSIGNORS: RAMAN, SHANKAR; MUPPIRALA, KISHORE KUMAR; BANDI, SRIDHAR; REEL/FRAME: 021776/0019. Effective date: 20080916 |
 | STCB | Information on status: application discontinuation | Free format text: ABANDONED -- AFTER EXAMINER'S ANSWER OR BOARD OF APPEALS DECISION |
 | AS | Assignment | Owner name: HEWLETT PACKARD ENTERPRISE DEVELOPMENT LP, TEXAS. Free format text: ASSIGNMENT OF ASSIGNORS INTEREST; ASSIGNOR: HEWLETT-PACKARD DEVELOPMENT COMPANY, L.P.; REEL/FRAME: 037079/0001. Effective date: 20151027 |